In this weekly discussion of latest news and topics around Microsoft 365, hosts –
Today’s topics: FastTrack program, evolution of SharePoint and PnPjs, and breaking change –
This episode was recorded on Monday, April 6th, 2020
Got feedback, ideas, other input – please do let us know!
The strength of the SharePoint community is one of the primary drivers for the platform’s success over the last 15-20 years. As the community has grown and strengthened, there has been a plethora of content available to end users and developers from Microsoft, MVPs, and bloggers of all experience levels.
The SharePoint Developer Documents (sp-dev-docs) have become the proven community model for content creation and management. This community-driven repository of content has become a valuable source for developer information and a feedback mechanism for the product groups.
We are now expanding the reach of our community‘s involvement with the Microsoft 365 Community Docs. Our goal is to harness the same community energy and the expertise of the people who are true implementers and practitioners of all aspects of Microsoft 365: the citizen developers, power users, site admins, end users, and other heroes who configure and use the platform to solve important business challenges every single day.
Join us!
We want to hear your voice and your perspective. Tell us about your real–world stories of solving business problems. Share with others how you use Microsoft 365. If you have solution for needs specific to your industry, we would love to hear it. Contribute scenarios to help others understand what possibilities are available.
We aren’t trying to replace any existing documentation. What we’ll be really excited to see is different ways you use the myriad of services across Microsoft 365 to solve your day to day problems. The inventiveness of this community is astounding; let’s lift the bushel and let our light shine ever more brightly.
We are excited to widen the scope of the effort and encourage everyone in the community to use the content as a set of resources as well as consider contributing to it. We expect the structure of the Microsoft 365 community docs to evolve over time as we receive more and more contributions from experienced practitioners who have been working with SharePoint for many years.
How do I contribute?
Want to get started? Not familiar with GitHub? This article shows you the way: Welcome to the Microsoft 365 Community Docs.
Still confused or need some help? Simply create an issue with your questions and we will work to help you out. If you see issues you can help with or have other content ideas, please submit an issue in the GitHub repo. Note: “Issues” may sound intimidating, but it’s the mechanism to provide input and feedback on the GitHub platform. When you add an issue, you can choose from several templates: Question, Article Suggestion, or Article Issue.
We believe the community-driven content model has been a tremendous success in the past and that this new set of docs will be another success for the entire community. Join us on this journey, and we will all succeed together. Remember: Sharing Is Caring!
Thanks to everyone who has already contributed! Every month on the PnP calls we will list the contributors, and you will be listed in the blog posts about the effort.
Why should I contribute? What’s in it for me?
Oftentimes, people wonder how they can become more active in the community. We hope this effort will become another “on ramp” where people can direct their energy – and this community has plenty of energy!
This isn’t a one-size-fits-all idea: bring your energy and we will help you figure out how you can help.
Got feedback or suggestions on this model? – Please do let us know!
The Microsoft Threat Protection team has been working hard to make your advanced hunting experience even more straightforward, interesting, and productive. With app & identity signals, custom detections, and charts now available on preview, your proactive threat hunting activities have never been as comprehensive and effective. Turn on Microsoft Threat Protection and sign up for previews to can start enjoying these new experiences and let us know what you think.
While Microsoft Threat Protection automatically flags and remediates threats, advanced hunting lets you take your response a step further by enabling you to efficiently inspect benign events that in certain contexts can be indicative of breach activity. For several months now, in Microsoft 365 security center, SecOps staff for various organizations have started hunting for clues on endpoints after receiving suspicious emails. This has been made easy and convenient by endpoint data from Microsoft Defender ATP and email data from Office 365 ATP.
Today, we’re expanding that coverage to include data from Azure ATP and Microsoft Cloud App Security with the following new schema tables:
See the full list of advanced hunting schema tables
With these new data sets, you can hunt for activities that happen across the cybersecurity attack chain. Check out the sample scenarios below to explore what you can do with the expanded schema.
With IdentityQueryEvents, you can now quickly find reconnaissance activities, such as processes performing suspicious SAMR queries against users and admins in your org.
IdentityQueryEvents
| where Timestamp > ago(7d)
| where ActionType == "SamrQuerySuccess" and isnotempty(AccountName)
| project QueryTime = Timestamp, DeviceName, AccountName, Query, QueryTarget
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend DeviceName = toupper(trim(@"..*$",DeviceName))
| project ProcessCreationTime = Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine
) on DeviceName, AccountName
| where ProcessCreationTime - QueryTime between (-2m .. 2m)
| project QueryTime, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, Query, QueryTarget
With IdentityLogonEvents, you can identify possible lateral movement activities by searching for logon attempts using compromised accounts or logons over unprotected protocols, such cleartext authentications over LDAP.
This query identifies processes that have attempted to authenticate using a clear-text password, which are typically obtained using known credential theft methods.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "LDAP cleartext" and isnotempty(AccountName)
| project LogonTime = Timestamp, DeviceName, AccountName, Application, LogonType
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| extend DeviceName = toupper(trim(@"..*$",DeviceName))
| where RemotePort == "389"
| project NetworkConnectionTime = Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine
) on DeviceName, AccountName
| where LogonTime - NetworkConnectionTime between (-2m .. 2m)
| project Application, LogonType, LogonTime, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine
With AppFileEvents, you can hunt for attempts to move and stage malicious content using cloud apps. The following query locates attempts to rename .docx file to .doc, possibly to bypass protection mechanisms and allow malicious macros to run.
AppFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(7d)
| project FileName, AccountName = InitiatingProcessAccountName, DeviceName
) on FileName, AccountName
| where FileName endswith "doc" and PreviousFileName endswith "docx"
| project Timestamp, FileName, PreviousFileName, Application, AccountName, DeviceName
You can also use the AppFileEvents table to hunt for exfiltration scenarios by querying for attempts to upload sensitive files to cloud apps like SharePoint, OneDrive, or Dropbox. You can use data under SensitivityLabel in the DeviceFileEvents table to locate sensitive files. However, a simpler way would be look for a specific string in file names, like sensitive in the query below:
AppFileEvents
| where ActionType == "FileUploaded"
| where Application in ("Microsoft OneDrive for Business",
"Microsoft SharePoint Online", "Dropbox")
| where FileName contains "sensitive"
| project Timestamp, ActionType, Application, FileName, FolderPath, AccountUpn,
AccountName, AccountDomain, IPAddress, Location
| take 10
For more queries, check out the Microsoft Threat Protection query repository on GitHub.
Many of you might have already benefited from custom detection alerts driven by advanced hunting queries in Microsoft Defender ATP. To simplify your hunt and optimize your use of the expanded schema, we’ve delivered the same custom detection functionality to Microsoft Threat Protection.
Using advanced hunting queries, you can now automate your hunts so that you can effortlessly check fresh signals and raise alerts for new finds. Make sure you set your custom detection rules to take immediate response actions for you.
To create one, simply run a query—we used the last example above for sensitive file uploads. If you don’t have results, simulate the activity by uploading a file called sensitive.txt to OneDrive, SharePoint, or Dropbox.
After confirming that the query runs well and returns meaningful results, click Create detection rules and start customizing your detection rule.
Note: To create custom detection rules, you need to be a security administrator or a security operator. If you have Microsoft Defender ATP RBAC turned on, make sure you have the managed security settings permission.
When identifying impacted entities, the user—identified by the AccountUpn column in this example—will work since the exfiltration event does not affect specific endpoints or mailboxes. Identifying the right impacted entities helps Microsoft Threat Protection aggregate relevant alerts, correlate incidents, and target response actions.
When you save your custom detection, it will run immediately and then run again based on your preferred interval. To check for alerts, head over to the Hunting > Custom detections > [Rule name] and open the Triggered alerts tab.
Learn more about creating custom detection rules
To help you extract insights from your queries and add some color to your work, we’ve added an option to view query results as a chart. Now available to all customers, the chart options currently include line, column, pie, scatter, and many other chart types. After running your query, select the right chart type that matches your data.
The line chart shown below highlights spikes in activity involving a specific file. Learn how to optimize queries to render effective charts
We hope you enjoyed learning about these new hunting experiences. Don’t forget to let us know what you think!
Stay safe and happy hunting!
– Microsoft Threat Protection Team
At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling, and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., OneDrive, SharePoint Online, and Exchange Online).
Sensitivity labels are central to Microsoft Information Protection. You can apply a sensitivity label to important documents and associate it with protection policies and actions like encryption and visual marking. You can also be assured that the protection will persist with the document throughout its life-cycle. You can also associate device and privacy policies to sensitivity labels and apply sensitivity labels to sites, teams, and Office 365 groups.
You can start using sensitivity labels by allowing users to manually classify emails and documents by applying these labels based on their assessment of the content and their interpretation of the organizational guidelines. However, users can sometimes forget to apply labels or apply them inaccurately, especially in these stressful times, so you need a method that will scale with the vast amount of data you have.
To help you achieve that scale, we are announcing public preview of automatic classification with sensitivity labels for documents stored on OneDrive and SharePoint Online, and for emails in transit in Exchange Online. The public preview will begin rolling out this week. As with manual classification, you can now set up sensitivity labels to automatically apply to Office files (e.g., PowerPoint, Excel, Word, etc.) and emails based on organizational policies. In addition to having users manually label files, you can configure auto classification policies in Microsoft 365 services like OneDrive, SharePoint Online, and Exchange Online. These policies can automatically label files at rest and emails in transit based on the rules you’ve set.
Figure 1. Three different policy modes for auto-classification policies
In the SharePoint and OneDrive document library experience, as shown in the screenshot below, users can see files that are labelled by their admin’s auto classification policy by hovering over the Sensitivity column. This ensures users are made aware of how the file got labeled – either automatically or manually.
Figure 2. Document library experience in SharePoint showing files automatically labeled
Before publishing an auto-classification policy, you will want to test how well your new policy works across your data environment. There are three main reasons for this:
To address this, we are also announcing the public preview of a capability called ‘Policy Simulator’ to assist you in validating and fine-tuning your auto-classification policies. Policy Simulator is designed to:
With Policy Simulator, you can validate and gain confidence in your policies prior to enforcement. You can publish your policies in successively broader scopes, thereby mitigating the risk of inadvertent consequences.
Figure 3. Overview of auto-classification policy simulator results
Auto-classification with sensitivity labels along with policy simulator are powerful capabilities that enable organizations to automatically designate eligible Excel, PowerPoint, Word files, and emails as sensitive in a scalable way.
To learn more about these new capabilities, including how they compares to auto-classification in Office apps for files in use, see our online documentation, “Apply a sensitivity label to content automatically”.
We are excited to roll out these capabilities and help you in your information protection journey.
For organizations, finding and governing content is critical to improve productivity. Content metadata—also called properties, attributes, columns, terms or tags—is essential for information architecture, workflow, , and compliance. Managed Metadata Service (MMS) delivers centralized management of taxonomy (hierarchies of tags and terms) and content types. Today, MMS is used to provide a unified set of terms to apply to content in Microsoft 365.
As we prepare for the general release of Project Cortex later in 2020, our first step is to update the MMS in SharePoint. In April 2020, we’ll start to release the following enhancements to Targeted Release:
Importantly, these features will require no migration or change to the data—terms or content types—in your existing MMS, but will unlock new capabilities for admins and information workers.
.
You’ll find the new term manager in the Content services section of the SharePoint admin center, providing modern, integrated controls for the creation and management of organizational taxonomies and glossaries. You’ll be able to work with your preexisting global term sets and create new sets without reconfiguring your existing MMS Taxonomy. We’ve also increased the number of terms supported at a tenant level from 200,000 to 1,000,000.
You can now manage content types in the new content type gallery in the SharePoint admin center.
What’s a content type? Content types create a hierarchy of information categories that you can use to define templates, metadata and document processing rules.
The content type list allows you to group on different columns and save custom views. The content type gallery also streamlines the process of adding, removing or changing custom columns. The new gallery provides a centralized view over content types originally established in the original site-based content type hubs.
In SharePoint lists and libraries, an updated tree view makes it easier to tag and filter content with terms.
We’ll have the product team available live to answer questions on MMS during the Project Cortex Office Hours call on May 20, 2020.
After the initial release of modern MMS experiences, we’ll be updating the site-based admin experiences to match the tenant admin interface. And we’ll have new APIs ready to empower custom development using Microsoft Graph and RESTful syntax.
Updating MMS will provide great value to SharePoint today, and MMS will be essential to delivering new premium value to Project Cortex later this year. Thank you.
In this weekly discussion of latest news and topics around Microsoft 365, hosts –
For Wictor, his latest work is in no way a departure from SharePoint rather as Azure and Microsoft 365 capabilities are working hand-in-hand, Teams opens new doors to add onto SharePoint. The group discusses the differences between developing apps for Teams vs for SharePoint. As well as differences between the requirements of knowledge workers vs first line workers –
The attraction of the Teams platform is wide access to a host of complementary capabilities –
This episode was recorded on Monday, March 30, 2020
Got feedback, ideas, other input – please do let us know!
Change agents, from virus outbreaks like COVID-19 to unexpected weather emergencies, highlight the importance of establishing and keeping open the lines of communication. The goal: to ensure everyone stays briefed on the situation and any business impacts.
To address crises, meetings move online, daily guidance email updates get sent, and dedicated sites emerge to consolidate news, related resources and topical Q&A.
This ‘how to’ post addresses the latter, to guide you through simple steps and configuration to establish a crisis management site based on a SharePoint communication site. You, too, will also find additional links to helpful guides and videos at the end.
Note: tenant admins can provision a pre-configured crisis management site using this new look book design: “Crisis Communications – announcements, news, resources, communities and calls-to-action.” Kudos and thanks to
How to create a crisis management site
Beyond reading this blog, getting from concept to live site should take no more than two hours. And before you commit to a single pixel, we suggest you take a few minutes to draft a wireframe of the site to identify desired content and information placement; this is what you see as #1 in the below four-image graphic; this, too, will start to describe what SharePoint web parts you will need.
Back of the napkin, check. Let’s get to it.
Create the site
Note: if you are unable to create sites within your Office 365 tenant, send a request to your SharePoint admin to create the site and assign you as a site owner. Once created and assigned, you can move to the next steps described in this post.
Adjust section layouts and add useful web parts
From here, it’s all about actualizing your wire frame; if it has a coffee stain on it by now – that just adds character. It’s now time to add sections, select useful web parts and content layout.
On the new crisis management site, click the highlighted Edit button. Hover your mouse below the title area and you’ll see a “+” appear: this applies to both section layouts (the “+” sign appears when hovering near the left side of the page) and when adding web parts (the “+” sign appears more in the middle of the page, and then under each added web part).
Click + to add content like text, documents, video and more; learn more about how to find and use web parts & add sections and columns.
Now, make the site useful and actionable.
Add your content, and update it any time
In the above example crisis management site (first larger graphic in this post and #4 in the above four-image graphic), it uses top navigation (mega menu), a two-column section above a single column section – all to the left of a vertically laid out section, and a total of seven web parts.
Going left-to-right, top-down, the crisis management site uses the following web parts:
There, too, are web parts to showcase videos, BI dashboards, lists and more; see all web parts in production (scroll down to the “Available web parts” section of this help article).
You can adjust content at any time. You can rearrange where content is placed – aka, drag’n’drop web parts as you need. And know that everything will look great across web and mobile, resizing to the screen your people are using to get to the information.
Categorize top navigation with important pages, sites and more
Mega menus enable site navigation to be displayed at-a-glance. This increases the ease of use and exposure of more key content. You can put up to three levels of hierarchy, both enabling visual buckets of information and increases the likelihood of resources being discovered.
Click Edit to the right of the default navigation elements to begin to add, adjust, delete and rearrange nav items. To Add a new header or sub-link, hover above header labels and select the + icon that will appear. To Edit, Move, Promote, and Remove select the ellipses next to the menu topic. Move and Promote headers and sub-links until they are in the desired position and select Save. Once you’ve arranged the hierarchy that works, click the upper right gear icon (site settings) and select Change the look. Select Mega menu and then select Save.
Make the top nav work for you. Make it your own. Learn more how to create and adjust a mega menu in SharePoint communication sites.
Last step: Share your site, aka, give the right permissions
You set permissions to grant people access to the site. And you can broadly communicate to raise awareness about the new crisis management site.
Above the site, in the upper right, you’ll see a gear icon. Click it, select Site permissions, and then click Share site. Now you can type in broader security groups, Office 365 Groups or individuals (possibly others to help you manage the site; give them Edit permissions). For a site like this, it’s common to use the “Everyone” or “Everyone except external users” and ensure they are given Read permissions so that the most users in your organization can access the site in the right way once it’s ready; this then denotes them as Site visitors. Note: I typically uncheck the “Send email” option and rather use Outlook or Yammer to broadly communicate or Teams chat to raise awareness to my teams. Once you’ve decided on the right
Learn more how to manage site permissions.
OK, on to additional materials out there to help best assess, learn and move forward.
‘How to’ webinar [now on-demand; embedded below]
Title: SharePoint: how to build a crisis management site
Description: This ‘how to’ webinar walks you through how to establish a *crisis management* site using a SharePoint communication site in Office 365, both manually and with a pre-configured site design from the Microsoft Look Book.
Date of recording: March 27, 2020
Webinar PowerPoint presentation: PDF
Two of the FAQs from the webinar that were not yet covered in this blog post:
Q: Is it possible to create multiple crisis managements sites within the same tenant?
A: Yes. You can create multiple crisis management type sites so long as you use different names for each site; aka, unique URLs.
Q: I want to create a portal for external people. Is that possible?
A: Yes. Make sure to work with your SharePoint administrator to help enable external sharing for the new site, inline with your external user governance plan before inviting guests.
Helpful, related reads and resources
Stay safe out there, wash your hands (Thanks, ellentube), and be kind to your neighbor at work and at home. Create your site. Share what you know and ask about what you don’t.
We’re here to help,
Mark Kashman, senior product manager – Microsoft
I recently worked on a case where News from associated sites are not displayed in the hub News Webpart.
This took several months to resolve due to the complexity of hub news webpart and how it integrates with the Search Engine to retrieve and display news from the associated sites.
Before getting into the problem, just providing a quick example of the News webpart configuration with a Hub Site.
Hub Site Example: The following image shows a Hub site named “hubsite” and 2 associated sites (“hubsitechild1” and hubsitechild2”)
Posting News items from the Hub:
This is what the News Webpart looks like from the root Hub Site:
Now let’s look at a child site:
By default, the News Webpart will only show news from the current site:
Site Admins will need to change this Webpart to view news from the Hub or any associated Hub site. In this example I will choose the “Hubsite”.
With this configuration “Hubsitechild1” will display News posts from the Hub site
Note: Since the retrieval of the new posts are based on search, you will not see new posts show up in the news webpart for about 5-15 minutes.
How does it work?
Example:
Note: The DepartmentID will be the Site ID of the root hub site.
Example:
GET: https://tenant.sharepoint.com/search/_api/search/query?querytext='(*)'&QueryTemplate='PromotedState:2 AND ContentTypeId:0x0101009D1CB255DA76424F860D91F20E6C4118* AND (DepartmentId:47060b5d-eb3a-4f7b-a1c0-421fc86cd0f6 OR DepartmentId:{47060b5d-eb3a-4f7b-a1c0-421fc86cd0f6})'&Properties='ClientFunction:HubNewsArticles ,EnableDynamicGroups:True'&ClientType='SPHomePagesWeb'&SelectProperties='DocID,Path,DocID,SiteID,NormSiteId,WebID,NormWebId,GroupID,Title,Description,PictureThumbnailURL,AuthorOWSUSER,SiteTitle,SPSiteUrl,SiteLogo,PromotedState,FirstPublishedDate,UniqueId,ViewCountLifetime,SiteTemplate,IsExternalContent,SPWebUrl,ContentTypeId,Language,Color,ListItemID,DepartmentId'&SourceId='8413cd39-2156-4e00-b54d-11efd9abdb89'&Sortlist='FirstPublishedDate:1'&BypassResultTypes=true&TrimDuplicates=true&EnableQueryRules=false&EnableSorting=true&StartRow=0&RowLimit=13
However, in the case that I was working, the Webpart was not displaying any news, even though the Search request was correct.
We found that the default Search Schema had been modified either manually or by a 3rd party product. In this case the managed property “ AuthorOWSUSER” is used to locate News items. If the value of this property is unexpected or NULL, Hub News items will not be displayed within the Webpart.
Here is the default setting for the “AuthorOWSUSER “managed property.
As you can see there are 2 crawled properties by default.
If either one of these crawled properties are missing, Hub News will not be displayed.
Also, we found that in some cases there is a new managed property that uses “AuthorOWSUSER” as an alias.
To resolve this issue, simply fix the modified search schema, which can be modified at the tenant level or the site collection level .
The AuthorOWSUSER property exists at both tenant level and site level.
How do we reach tenant level settings?
How do we reach site level settings?
After opening the managed properties list at the tenant/hub site level:
1. Search for “AuthorOWSUSER”
2. You see all matches, including any custom managed properties that set AuthorOWSUSER as an alias.
3. Locate the problematic Managed property and correct the issue by deleting the property or changing the alias. In this example, I will change the alias of “Thiswillbreaknews”.
4. Make sure AuthorOWSUSER is mapped to “ows_q_USER__AuthorByline” and “ows_q_USER_Author”, if the mapping is incorrect, fix it.
Please Note: Since these some of these properties are used in real-time, the problem should be resolved almost immediately. In a worst-case scenario, you will have to re-index the site , wait for Search to complete (about 15 minutes), then re-create the News Webpart.
Steps to Re-index the site:
and then select Site settings. If you don’t see Site settings, select Site information, and then select View all site settings.
For additional reading on the topics discussed in this blog see the following articles.
What is a SharePoint hub site?
Create a hub site in SharePoint
Use the News web part on a SharePoint page
Manage the search schema in SharePoint Online
Manually request crawling and re-indexing of a site, a library or a list
In this session of PnP Weekly, hosts –
Topics of discussion included:
This episode was recorded on Monday, March 23, 2020
Got feedback, ideas, other input – please do let us know!
With the announcement earlier this month that we plan to deprecate the AIP (classic) client and label management from the Azure Portal, customers are actively working to migrate their label management from the Azure Portal to the M365 Compliance portal.
This is the aim whether your plan for Windows clients is to use the Azure Information Protection (AIP) unified labeling client , or use the Microsoft Information Protection (MIP) features built-in to Office Pro Plus. This isn’t a concern For non-Windows platforms as they leverage the features built-in to our Office products.
As a recap, we discuss the strategic options for which client to use on Windows in our recent migrating to Unified Labeling webinar and the client comparison matrix in our Microsoft documentation.
After activating unified labeling one of the challenges your organization might have is the need to configure the localizations you had in AIP for MIP clients. The AIP CXE team has recently published a great blog post that can help you tackle this challenge. You can read the post here.
Thanks!
@Adam Bell on behalf of the MIP and Compliance CXE team
